1. Field of the Invention
This invention relates to the field of information networks, and more particularly relates to a method and apparatus for providing security groups based on the use of tunneling.
2. Description of the Related Art
Flexible network access technologies such as wireless, Dynamic Host Configuration Protocol (DHCP), virtual private network (VPN) gateways and the like allow users access to a given protected network from a variety of access or entry points. This is true of all manner of networks, including enterprise networks, service provider networks and the like. At the same time, the security afforded while providing such access is of increasing concern. Technologies based on Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), the DIAMETER protocol and other protocols allow a user to be authenticated upon entry to the network. Authentication, however, establishes only who the user is; the network access that a user is permitted is conventionally based on the group(s) to which the user belongs, the role(s) assigned to the user by the enterprise, the privilege(s) the user has as an ISP customer or similar criteria.
FIG. 1 is a block diagram illustrating a network 100 of the prior art and the components thereof, in which such authentication protocols are employed to authenticate users. Network 100 includes an internetwork 110 that a number of clients (depicted as clients 112, 114 and 116) access in order to gain access to a server 120. Clients 112, 114 and 116 access internetwork 110 via a switch 130, which is, in turn, coupled to an ingress router 140. Ingress router 140, in providing access to internetwork 110, is communicatively coupled to an egress router 150, which, in turn, is coupled to server 120. Note that, for the sake of simplicity, the paths between ingress router 140 and egress router 150 through internetwork 110 do not explicitly depict the routers and/or other network devices that are typically interspersed along such paths. As is apparent from FIG. 1, each of clients 112, 114 and 116 can communicate with server 120 over a separate network path, or can use the same path through network 100.
While these network paths may traverse some or all of the same network devices (i.e., physical segments), the paths are conceptually separate (e.g., can be viewed as separate virtual paths) and are controlled separately using, for example, access control lists (ACLs). Conventionally, the constraints upon the access enjoyed by users, such as those that might access network 100, have been enforced by ACLs, which are applied to packets in order to control such network traffic. For scalability and manageability, conventional ACLs require that the mapping between a user and that user's host address (the source address of the given packet(s); for example, an internet protocol (IP) address) be relatively static.
Under such a scheme, ACLs in various parts of the network would have to be updated each time a user authenticated to the network, in order to add rules associated with the source IP address assigned to that user's host. Because those rules would be specific to that user, the result would be a large increase in the number of ACL entries and in the rate at which they would have to be updated. Moreover, because platforms that use content-addressable memories (CAMs) to implement ACLs require recompiling some or all of the ACLs whenever any change is made, the increase in processing cost can be quite severe: each authentication triggers a recompilation whose cost grows with the number of rules already installed, so the cumulative cost approaches a quadratic in the number of users. Finally, because the ACLs controlling access to a service are typically at the “other side” of the network from the user (namely, at the egress router protecting a particular server or set of servers), communication is required from the ingress access point to each potential egress router upon each new user authentication. Given the foregoing, particularly in light of the increasingly flexible access that is required now and will be required in the future, as well as the limited size and availability of IP address space available to organizations, it is generally infeasible to rely on such ACL-based solutions.
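The following Python model is an added illustration of the scaling argument in the preceding paragraph; it is not part of the original specification and does not describe the invention. It assumes, as the paragraph states, that a CAM-based platform recompiles the entire rule set on every change, and it uses constructed addresses (a 10.1.0.0/16 DHCP pool for hosts, 192.0.2.10 as the protected server) and a hypothetical count of egress routers.

```python
"""Toy model of per-user, source-address ACLs on a CAM-based platform.

Constructed example: every user authentication installs one host-specific
permit rule on every potential egress router's ACL, and each installation
recompiles the whole ACL.  The returned counters show the three costs the
text describes: rule count (linear in users), cumulative compile work
(quadratic in users) and ingress-to-egress update messages (users x egress).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "permit" or "deny"


@dataclass
class CamAcl:
    """First-match ACL with implicit deny.

    Modelled assumption from the text: any change recompiles all rules, so the
    cost of adding one rule is proportional to the rules already installed.
    """
    rules: List[Rule] = field(default_factory=list)
    recompiles: int = 0
    compile_work: int = 0  # cumulative number of rule entries (re)compiled

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.recompiles += 1
        self.compile_work += len(self.rules)  # full recompile of the table

    def lookup(self, src: IPv4Address, dst: IPv4Address) -> str:
        for r in self.rules:
            if src in r.src and dst in r.dst:
                return r.action
        return "deny"  # implicit deny at the end of the list

    def permits(self, src: str, dst: str) -> bool:
        return self.lookup(ip_address(src), ip_address(dst)) == "permit"


def host_address(i: int) -> IPv4Network:
    """Constructed DHCP-style assignment: the i-th user's host gets 10.1.x.y/32."""
    return ip_network(f"10.1.{i // 256}.{i % 256}/32")


def simulate_per_user_acls(n_users: int, n_egress: int, server: str):
    """Install a host-specific permit rule on every egress ACL per authentication.

    Returns (acls, update_messages): the per-egress ACL state and the number
    of ingress-to-egress updates that had to be sent.
    """
    dst = ip_network(server)
    acls = [CamAcl() for _ in range(n_egress)]
    update_messages = 0
    for i in range(n_users):
        rule = Rule(host_address(i), dst, "permit")
        for acl in acls:  # every potential egress router must learn the new host
            acl.add_rule(rule)
            update_messages += 1
    return acls, update_messages


def cost_summary(n_users: int, n_egress: int, server: str = "192.0.2.10/32") -> dict:
    """Summarise the costs for one egress ACL plus the total message count."""
    acls, msgs = simulate_per_user_acls(n_users, n_egress, server)
    acl = acls[0]
    return {
        "rules_per_acl": len(acl.rules),           # n
        "recompiles_per_acl": acl.recompiles,      # n, one per authentication
        "compile_work_per_acl": acl.compile_work,  # n(n+1)/2, quadratic
        "update_messages": msgs,                   # n * n_egress
    }


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(n, cost_summary(n, n_egress=4))
```

Running the block prints the summary for 10, 100 and 1000 users against four hypothetical egress routers; compile work grows from 55 to 500500 entries while the rule count grows only to 1000, which is the quadratic-versus-linear gap the text refers to. A lookup against an address that no user has authenticated from falls through to the implicit deny.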
What is required, then, is a mechanism that allows for the communication of identifying information regarding the group(s) or role(s) associated with a host, without the need to alter packet formats to support this communication. Preferably, such an approach should employ a standardized packet format without requiring any additional fields for communicating the requisite information beyond those already provided in that standardized format. Also preferably, such an approach should be compatible with existing networking equipment already deployed and not require changes to that networking equipment.